North Korea Stole 76% of All 2026 Crypto Hack Value With Just Two Attacks, TRM Labs Finds


North Korean state-backed hackers have pulled off something that no cybersecurity playbook had fully anticipated: stealing three-quarters of the entire crypto industry’s hack losses in a single quarter using just two operations. According to a new report from blockchain intelligence firm TRM Labs, groups linked to Pyongyang are responsible for approximately $577 million in theft through April 2026 — representing 76% of all crypto hack value lost so far this year.

The numbers land at a moment when the industry thought it had started building more robust defenses. It had not.

Two Attacks, One Catastrophic Quarter

The first breach hit Drift Protocol on April 1. Hackers walked away with $285 million after what TRM describes as an “unprecedented in-person social engineering” campaign that unfolded over months before the actual exploit. North Korean operatives reportedly spent weeks physically embedding themselves near protocol insiders, cultivating trust and access before executing the drain in approximately 12 minutes. The pre-attack staging alone took three weeks of on-chain preparation.

The second blow came just 17 days later. On April 18, KelpDAO’s LayerZero bridge was exploited for $292 million through a single-verifier design flaw — a fundamental architectural weakness that allowed attackers to forge cross-chain messages and drain the vault.

Together, these two incidents account for 3% of all 2026 hack incidents by count, but 76% of stolen value. That ratio — a small number of strikes with disproportionate damage — has become North Korea’s signature.

The Laundering Split: Two Very Different Playbooks

What makes TRM’s report particularly striking is the divergence in how the two hacking groups handled their proceeds afterward.

After the Drift breach, funds moved quickly across chains to Ethereum in a cross-chain speedrun, then went dormant. As of the report’s publication, those funds remain parked and unmoved — a pattern TRM says may indicate the group is waiting for heat to die down before attempting liquidation.

The KelpDAO hackers took a more aggressive route. After Arbitrum froze $75 million of the stolen funds, the remaining proceeds were funneled through THORChain, converting stolen ETH to Bitcoin in what TRM calls a “textbook TraderTraitor liquidation process.” THORChain, a decentralized cross-chain liquidity protocol, has now processed the majority of proceeds from both the 2025 Bybit breach and the 2026 KelpDAO hack — with no operator stepping in to freeze or reject transfers.

“THORChain is the consistent bridge of choice across North Korea’s largest heists,” TRM noted in its report.

$6 Billion Stolen Since 2017

The two April attacks push North Korea’s cumulative crypto theft to over $6 billion in attributed incidents since 2017. The acceleration in both scale and sophistication has alarmed regulators and exchanges alike.

TRM’s Beacon Network — a consortium of 30+ exchanges and DeFi protocols — provides cross-platform alerts when North Korea-linked funds reach participating institutions before withdrawals clear. But the sheer speed of execution in operations like Drift (complete drain in 12 minutes) leaves little window for intervention.

The Drift hack’s social engineering component is drawing particular attention from security researchers. The use of long-term in-person infiltration to compromise protocol signers marks a shift from purely technical exploits toward hybrid attacks that blend intelligence tradecraft with on-chain execution.

What This Means for the DeFi Sector

The back-to-back attacks have reignited debate over single-point-of-failure architectures in DeFi. The KelpDAO exploit specifically targeted a bridge using a single-verifier design — a known risk that many protocols have still not addressed.

Security researchers are pointing to three systemic failures exposed by April’s carnage:

– Bridge architecture risk: Single-verifier or low-threshold multisig bridges remain catastrophically vulnerable to targeted compromise.
– Insider threat blindspot: Traditional DeFi security audits focus on code, not people. The Drift breach shows that human vectors can bypass even well-audited smart contracts.
– Laundering infrastructure: THORChain’s unwillingness to enforce sanctions compliance continues to serve as a critical off-ramp for state-level actors moving hundreds of millions in stolen funds.

Industry observers are now calling on major DeFi protocols to mandate multi-party computation for all signing operations, implement anomaly detection on signer behavior, and push for minimum-threshold governance on any bridge managing over $50 million in TVL.
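To make the single-verifier weakness and the minimum-threshold recommendation concrete, here is an added illustration in Python. It is not code from TRM Labs, KelpDAO, LayerZero or this article, and it models no real bridge: a toy destination-side vault releases funds only when enough trusted verifiers have attested to a cross-chain message. HMAC-SHA256 with constructed per-verifier keys stands in for real verifier signatures, the vault, message and key names are all assumptions, and the concrete policy rule (at least two verifiers and a strict majority once TVL exceeds the $50 million figure quoted above) is an assumed reading of the recommendation, not a rule the page specifies. The point it shows is that with threshold 1 a single verifier's attestation releases funds on its own, whereas a 3-of-5 vault rejects that same lone attestation, accepts a genuine quorum, and rejects a replay of an already-processed message.

```python
import hashlib
import hmac
from dataclasses import dataclass, field


@dataclass(frozen=True)
class CrossChainMessage:
    """A withdrawal claim relayed from the source chain to the destination vault (toy model)."""
    src_chain: str
    dst_chain: str
    nonce: int          # unique per message; lets the vault reject replays
    recipient: str
    amount: int

    def payload(self) -> bytes:
        return f"{self.src_chain}|{self.dst_chain}|{self.nonce}|{self.recipient}|{self.amount}".encode()


def attest(verifier_key: bytes, msg: CrossChainMessage) -> bytes:
    """Toy attestation: HMAC-SHA256 stands in for a verifier's real signature (assumption)."""
    return hmac.new(verifier_key, msg.payload(), hashlib.sha256).digest()


@dataclass
class BridgeVault:
    """Destination-side vault that releases funds only on enough valid attestations."""
    verifier_keys: dict          # verifier id -> key the vault trusts for that verifier
    threshold: int               # 1 = single-verifier design; k-of-n otherwise
    balance: int
    seen_nonces: set = field(default_factory=set)

    def count_valid(self, msg: CrossChainMessage, attestations: dict) -> int:
        valid = 0
        for verifier_id, att in attestations.items():
            key = self.verifier_keys.get(verifier_id)
            if key is None:
                continue                       # attestation from an unknown verifier: ignored
            if hmac.compare_digest(att, attest(key, msg)):
                valid += 1                     # dict keys are unique, so a verifier counts once
        return valid

    def release(self, msg: CrossChainMessage, attestations: dict) -> bool:
        if msg.nonce in self.seen_nonces:
            return False                       # replayed message
        if self.count_valid(msg, attestations) < self.threshold:
            return False                       # quorum not met
        if msg.amount > self.balance:
            return False                       # vault cannot cover the claim
        self.balance -= msg.amount
        self.seen_nonces.add(msg.nonce)
        return True


def threshold_policy_ok(tvl_usd: float, n_verifiers: int, threshold: int,
                        large_bridge_usd: float = 50_000_000) -> bool:
    """Assumed governance rule: above the $50M TVL line, require at least two
    verifiers and a strict majority of the set; below it, any valid k-of-n is allowed."""
    if threshold < 1 or threshold > n_verifiers:
        return False
    if tvl_usd > large_bridge_usd:
        return threshold >= 2 and threshold * 2 > n_verifiers
    return True


def demo() -> dict:
    # Constructed keys for five hypothetical verifiers; no real key material.
    keys = {f"v{i}": hashlib.sha256(f"constructed-key-{i}".encode()).digest() for i in range(1, 6)}
    msg = CrossChainMessage("chain-a", "chain-b", nonce=1, recipient="0xCONSTRUCTED", amount=1_000)

    # Single-verifier design: one attestation is sufficient to release funds.
    single = BridgeVault(verifier_keys={"v1": keys["v1"]}, threshold=1, balance=10_000)
    one_attestation = {"v1": attest(keys["v1"], msg)}
    single_accepted = single.release(msg, one_attestation)

    # 3-of-5 design: the same lone attestation is rejected; a real quorum is accepted once.
    quorum = BridgeVault(verifier_keys=dict(keys), threshold=3, balance=10_000)
    lone_rejected = not quorum.release(msg, one_attestation)
    three = {v: attest(keys[v], msg) for v in ("v1", "v2", "v3")}
    quorum_accepted = quorum.release(msg, three)
    replay_rejected = not quorum.release(msg, three)     # same nonce again

    return {
        "single_verifier_accepted": single_accepted,
        "quorum_rejects_lone_attestation": lone_rejected,
        "quorum_accepts_three": quorum_accepted,
        "quorum_rejects_replay": replay_rejected,
        "single_balance": single.balance,
        "quorum_balance": quorum.balance,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The threshold check is only half of the picture the article describes: the Drift breach compromised signers through people rather than code, so a quorum of verifiers whose keys sit with insiders who can be socially engineered together is still a single point of failure in practice. Independent operators, distinct key custody and behavioural monitoring of signers are what make the k-of-n number meaningful.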

The Broader Picture: State-Sponsored Theft at Scale

North Korea’s crypto theft operation is not opportunistic. It is a state revenue program. The Lazarus Group and affiliated entities have been used to fund ballistic missile programs, evade sanctions, and generate hard currency for the regime at a scale that traditional financial enforcement cannot easily disrupt.

The 2025 Bybit hack — attributed to the same ecosystem — netted over $1.5 billion and remains one of the largest single theft events in crypto history. The 2026 attacks suggest that capability has not diminished. If anything, the Drift operation’s multi-month human intelligence component indicates a maturing, more patient approach to high-value targets.

For DeFi protocols, institutional custodians, and bridge operators, the message from TRM’s data is unambiguous: the threat is not random. These actors research targets methodically, exploit architectural and human weaknesses with precision, and move funds through compliance-resistant infrastructure with practiced efficiency.

FAQ

Q: How did North Korean hackers access Drift Protocol? A: TRM Labs describes the Drift breach as involving months of in-person social engineering — operatives reportedly built real-world relationships with protocol insiders before compromising signing keys and draining $285 million in approximately 12 minutes.

Q: Why does THORChain keep appearing in North Korea hack laundering? A: THORChain is a decentralized cross-chain exchange that allows swapping assets across blockchains without centralized custody. Because no single operator controls it and it lacks KYC requirements, it has become the preferred off-ramp for state-backed actors moving large stolen crypto positions — with no freeze mechanism available.

Q: What percentage of crypto hacks in 2026 are linked to North Korea? A: According to TRM Labs, North Korean hacking groups are responsible for 76% of all crypto hack losses by value through April 2026, despite accounting for only 3% of total incidents by count.

— *Sources: TRM Labs Blockchain Intelligence Report (May 2026), The Block, CoinDesk*

restorecg

Crypto Reporter

restorecg covers cryptocurrency markets, blockchain technology, and decentralized finance for CryptoGazette.
